While the EU-U.S. Privacy Shield program has been the subject of much consternation, be it due to Trump administration executive orders or advocate-group lawsuits, the program continues to churn forward eight months after the U.S. Department of Commerce began taking applications on Aug. 1, 2016 and just a few months out from its first annual review.
Already, reported U.S. Commerce Department Shield program administrator Caitlin Fennessy at the recent IAPP Data Protection Intensive in London, 1,800 companies have self-certified through the Shield program, with another 300 applications in the process. Those 2,100 companies would represent roughly half of the companies that were participating in the Safe Harbor program at the end of its 10-year run.
Who are these companies? Fennessy reported a heavy number of small-to-medium-sized enterprises, with some 70 percent reporting 500 or fewer employees. However, as these companies are heavily slanted toward the technology and consulting sectors, they’re already reporting significant revenue: About 45 percent are over $25 million annually, with 15 percent above $500 million.
Perhaps most significantly, however, data subjects appear to be happy with the program as it seeks to provide assurances about the protection of their data when it leaves the European Union.
While the complaints process is now in place, and Commerce reports progress in creating the Arbitral Panel that would mediate complaints as a last-resort option, no one as yet appears to have lodged a complaint that an organization could not resolve on its own.
Geraldine Dersley, head of legal profession at the U.K.’s Information Commissioner’s Office, reported “no valid complaints” when asked if her office had received any. And, as ICO liaison to the Article 29 Working Party’s international data transfers working group, she reported she’s aware of “less than a handful” of complaints, and nothing that rose to significance, EU-wide.
Hugh Stevenson, deputy director at the U.S. Federal Trade Commission’s Office of International Affairs, similarly reported that there had been no referrals to his office from any EU data protection authority.
However, the point was made that complaints arriving at the desks of regulators or Commerce would indicate that a company was unable to address the complaint itself to a data subject’s satisfaction.
“I was a member of the Safe Harbor [complaints handling] panel,” said Dersley, “and there were only a limited number of complaints there. … The Americans take customer service much more seriously than EU firms, and they deal with it in that context. They deal with it as a business complaint; it doesn’t get flagged as a data protection complaint, and the customer might not seek further redress.”
In addition, one way they might seek further redress is through independent recourse mechanisms, known as IRMs. However, Frances Henderson, VP and national director for privacy initiatives at the Council of Better Business Bureaus, which serves as an IRM, said they haven’t yet seen Privacy Shield complaints either.
“Right now, we haven’t received any relevant complaints about Privacy Shield,” she said. “Usually, they’re about companies that are not in the Privacy Shield program.” In fact, she noted, many contacts seemed to wish there were a program like Privacy Shield in the United States to which they could hold companies accountable.
Going by her experience with Safe Harbor, however, where BBB did receive and process many complaints, “organizations do have an interest in resolving these complaints as quickly as possible.”
So, why no Shield complaints? “That’s probably simply a factor of it being a very new program,” Henderson said.
One thing to watch, noted Fennessy, is that the Privacy Shield program includes something Safe Harbor did not: a detailed annual reporting requirement for IRMs. “So,” she said, “when we get that review, we’ll have public reports from the various IRMs about the complaints they’ve seen, in anonymized form, and how they’ve been handled. And that will be very useful as we go into this review process and help us to build and improve the system.”